FACTORING INTEGERS USING ELLIPTIC CURVES OVER Q 



XIUMEI LI, JINXIANG ZENG 

Abstract. For an integer $D = pq$ that is the product of two distinct odd primes, we construct an elliptic curve $E_{2rD} : y^2 = x^3 - 2rDx$ over $\mathbb{Q}$, where $r$ is a parameter dependent on the classes of $p$ and $q$ modulo 8, and show, under the parity conjecture, that the elliptic curve has rank one and $v_p(x([k]Q)) \neq v_q(x([k]Q))$ for odd $k$ and a generator $Q$ of the free part of $E_{2rD}(\mathbb{Q})$. Thus we can recover $p$ and $q$ from the data $D$ and $x([k]Q)$. Furthermore, under the Generalized Riemann Hypothesis, we prove that one can take $r < c\log^4 D$ such that the elliptic curve $E_{2rD}$ has these properties, where $c$ is an absolute constant.



1. Introduction and Main Results 

It is a basic problem in coding theory to search for methods to factor integers of the form $D = pq$, where $p \neq q$ are odd primes, as fast as possible. Recently Burhanuddin and Huang [5] introduced a new method to factor the integer $D = pq$ with $p \equiv q \equiv 3 \bmod 16$, by computing a rational point of the elliptic curve $E_D : y^2 = x^3 - Dx$. They prove that, under the parity conjecture, the elliptic curve has rank one and the x-coordinate $x(Q)$ of a generator $Q$ of the free part of the rational points $E_D(\mathbb{Q})$ has unequal valuations at $p$ and $q$, and thus one can recover $p$ and $q$ from the data $D$ and $x(Q)$. Furthermore, they conjecture that factoring $D$ is polynomial time equivalent to calculating the generator $Q$.

Following the idea, in this paper, we factor the general $D$ of the form $D = pq$ with odd primes $p \neq q$, by computing a rational point of some elliptic curve attached to $D$ and some parameters. For this we need to construct an elliptic curve over $\mathbb{Q}$ which has rank one and for which the valuations at $p$ and $q$ of the x-coordinate of the generator of the free part of the rational points are not equal. By the symmetry of $p$ and $q$, we always assume the least residue of $p$ modulo 8 is less than or equal to that of $q$ modulo 8. If $D \not\equiv 1$ and $p \not\equiv 1 \bmod 8$, the construction of the elliptic curve is easy. If $D \equiv 1$ but $p \not\equiv 1 \bmod 8$ (resp. $D \not\equiv 1$ but $p \equiv 1 \bmod 8$), we need to introduce a prime parameter $l$ in some class of integers modulo 8 which satisfies (y) $= -1$ (resp. (y) = (j) $= -1$) to construct the elliptic curve. If $D \equiv p \equiv 1 \bmod 8$, the most complicated case, we need to introduce two prime parameters $l_1$ and $l_2$ in some different classes of integers modulo 8 which satisfy (^) = (^) $= -1$ and (^)(^) $= -1$ to construct the elliptic curve. So in the case $p \equiv 1 \bmod 8$, we could factor $D$ probably with probability of success at least |. The detailed construction of the elliptic curves and the main results of the paper are as follows.

For simplicity, we always denote by $E_m$ the elliptic curve $y^2 = x^3 - mx$ for the integer $m$, and by $\bar m$ the class of $m$ in $(\mathbb{Z}/8\mathbb{Z})^*$ for odd $m$. We define $a_{\bar 3} = a_{\bar 7} = \bar 5$ and $a_{\bar 5} = \bar 3$.

Theorem 1.1. Let $D = pq$, where $p$ and $q$ are distinct odd primes and $p \not\equiv 1 \bmod 8$. We consider the elliptic curve $E_{2D}$ if $D \not\equiv 1 \bmod 8$ and the elliptic curve $E_{2lD}$ if $D \equiv 1 \bmod 8$, where $l$ is a prime in the class $a_{\bar q}$ satisfying (y) $= -1$. Then, under the parity conjecture, these elliptic curves have rank one and the valuations at $p$ and $q$ of the x-coordinate $x([k]Q)$ are not equal for any odd $k$, where $Q$ is a generator of the free part of the rational points $E_{2D}(\mathbb{Q})$ or $E_{2lD}(\mathbb{Q})$. Thus we can recover the primes $p$ and $q$ from the data $D$ and $x([k]Q)$.

Notice that in the case $D \equiv 1$ but $p \not\equiv 1 \bmod 8$, we must have $p \equiv q \bmod 8$. For even $k$ we may not get $v_p(x([k]Q)) \neq v_q(x([k]Q))$. The construction of the elliptic curve in the case $p \equiv 1 \bmod 8$ is more complicated.

Theorem 1.2. Let $D = pq$, where $p$ and $q$ are distinct odd primes and $p \equiv 1 \bmod 8$. If $D \not\equiv 1 \bmod 8$, we consider the elliptic curve $E_{2lD}$, where $l$ is a prime in $a_{\bar q}$ and satisfies (-y) = (j) $= -1$. If $D \equiv 1 \bmod 8$, we consider the elliptic curve $E_{2l_1l_2D}$, where $l_1$ and $l_2$ are primes in $\bar 3$ and $\bar 7$ respectively, and satisfy (^) = (^) $= -1$ and (^)(^) $= -1$. Then, under the parity conjecture, we have the same result for these elliptic curves as that in Theorem 1.1 above.

It is well known that the least quadratic non-residue of a prime $p$ is $O(\log^2 p)$, under the Generalized Riemann Hypothesis (GRH). Using the result in [11], we further show that the parameters $l$ and $l_1 l_2$ in the theorems above can be taken small, relative to $D$. Namely we have

Corollary 1.3. Given $D$, a product of two distinct odd primes. Assume the parity conjecture and GRH. There exists an odd integer $r$ such that

(1) $r < c\log^4 D$, where $c$ is an absolute constant;

(2) the elliptic curve $E_{2rD}$ has rank one;

(3) Let $Q$ be a generator of $E_{2rD}(\mathbb{Q})/E_{2rD}(\mathbb{Q})_{\mathrm{tors}}$, then $\mathrm{ord}_p(x([k]Q)) \neq \mathrm{ord}_q(x([k]Q))$ for any odd integer $k$.

To show that the elliptic curves in Theorems 1.1 and 1.2 have rank one under the parity conjecture and to calculate the valuations of $x(Q)$ at $p$ and $q$, we first need to compute the Selmer groups of these elliptic curves, for which we use the homogeneous spaces of the corresponding elliptic curves.

The paper is organized as follows. In section two we compute the Selmer groups of these elliptic 
curves, which is a little bit tedious due to the extra parameter r. In section three we calculate 
the ranks of these elliptic curves under the parity conjecture. In the last section we compute the 
valuations of the x-coordinate of the generator of the free part of the rational points of these elliptic 
curves, and prove the three results above. 

2. Computation of the Selmer groups 

In this section we determine the Selmer groups of the elliptic curves appearing in our theorems in the introduction. For this we first show two lemmas that give a necessary and sufficient condition for an element to be in the Selmer group, for a family of elliptic curves more general than those appearing in our theorems.

2.1. Two lemmas. As in the introduction, $D = pq$ is a product of two distinct odd primes. Let $r$ be a positive integer such that $2rD$ is squarefree. Then the elliptic curve $E_{2rD}$ over $\mathbb{Q}$ has an isogenous curve $E'_{2rD} : y^2 = x^3 + 8rDx$, and the two isogenies are $\phi : E_{2Dr} \to E'_{2Dr}$ and $\hat\phi : E'_{2Dr} \to E_{2Dr}$ defined by

$$\phi((x,y)) = \left(\frac{y^2}{x^2}, \frac{-y(2rD + x^2)}{x^2}\right) \quad\text{and}\quad \hat\phi((x,y)) = \left(\frac{y^2}{4x^2}, \frac{y(8rD - x^2)}{8x^2}\right)$$

respectively, see Example 4.5 in [7] Chap. III.

Let $S = \{\infty\} \cup \{2\} \cup S_0$ with $S_0 = \{\text{primes dividing } Dr\}$, and $\mathbb{Q}(S,2)$ the subgroup of $\mathbb{Q}^*/\mathbb{Q}^{*2}$ generated by the elements in $\{-1\} \cup \{2\} \cup S_0$. For $d \in \mathbb{Q}(S,2)$, the corresponding homogeneous spaces are defined to be the curves

$$C_d : dw^2 = d^2 + 8Drz^4 \quad\text{and}\quad C'_d : dw^2 = d^2 - 2Drz^4.$$

By [7] Chap. X, Prop. 4.9, the Selmer groups have the following identifications:

$$S^{(\phi)}(E_{2Dr}/\mathbb{Q}) \cong \{d \in \mathbb{Q}(S,2) : C_d(\mathbb{Q}_v) \neq \emptyset \text{ for all } v \in S\},$$
$$S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q}) \cong \{d \in \mathbb{Q}(S,2) : C'_d(\mathbb{Q}_v) \neq \emptyset \text{ for all } v \in S\},$$

and furthermore $2Dr \in S^{(\phi)}(E_{2Dr}/\mathbb{Q})$ and $-2Dr \in S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q})$.

Lemma 2.1. About the elements of the $\phi$-Selmer group $S^{(\phi)}(E_{2Dr}/\mathbb{Q}) \subseteq \mathbb{Q}(S,2)$, we have

(1) Let $d \in \mathbb{Q}(S,2)$. If $d < 0$, then $d \notin S^{(\phi)}(E_{2Dr}/\mathbb{Q})$.

,2)2.5<*.,wQ)^{|:;,r.i: 

(3) For $2k \in \mathbb{Q}(S,2)$ with $k \in S_0$,

(f) = l,tG5o\{A;} 

A:G5W(i?2Dr/Q)^ <! (^) = 1 

/c = 1 mod 8 

(f) = l,tGSo\{fe} 

2fcGSW(i^2Dr/Q)^ <! (^) = 1 

Dr/k = 1 mod 8 



(4) For distinct $k_1, k_2 \in S_0$,



2Dr 



y kik2 = 1 mod 8 

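Proof. (1) It is clear that $C_d(\mathbb{R}) = \emptyset$ if $d < 0$ and $C_d(\mathbb{R}) \neq \emptyset$ if $d > 0$.

(2) For $d = 2$, the curve $C_2$ is $W^2 = 2 + 4DrZ^4$. Write $f_2(Z,W) = W^2 - 4DrZ^4 - 2$.

($\Rightarrow$) As $2 \in S^{(\phi)}(E_{2Dr}/\mathbb{Q})$, we see $C_2(\mathbb{Q}_t) \neq \emptyset$ ($t \in \{2\} \cup S_0$). For $t = 2$, take $(z,w) \in C_2(\mathbb{Q}_2)$. Then $v_2(z) < 0$ and $v_2(w) = 1 + 2v_2(z)$. Put $z = 2^{-i}z_0$, $w = 2^{1-2i}w_0$, where $i > 0$, and $z_0, w_0 \in \mathbb{Z}_2^*$ satisfy $w_0^2 = 2^{4i-1} + Drz_0^4$, and thus $Dr \equiv 1 \bmod 8$.

For $t \in S_0$, take $(z,w) \in C_2(\mathbb{Q}_t)$. Then $v_t(z) \ge 0$, $v_t(w) = 0$ and $w^2 = 2 + 4Drz^4$, so we have $\left(\frac{2}{t}\right) = 1$.

($\Leftarrow$) Obviously $C_2(\mathbb{R}) \neq \emptyset$. For $t = 2$, put $f_2(Z,W;i) = W^2 - DrZ^4 - 2^{4i-1}$, where $i \ge 1$, then $v_2(f_2(1,1;i)) \ge 3 > 2v_2\left(\frac{\partial f_2}{\partial W}(1,1;i)\right) = 2$, so by Hensel's Lemma ([7] Exercise 10.12), $f_2(Z,W;i) = 0$ has a solution, say $(z_0,w_0)$, in $\mathbb{Z}_2^2$. Note that $(2^{-i}z_0, 2^{1-2i}w_0) \in C_2(\mathbb{Q}_2)$.

For $t \in S_0$, as $\left(\frac{2}{t}\right) = 1$, there exists $a \in \mathbb{Z}$ such that $a^2 \equiv 2 \bmod t$, and so $v_t(f_2(0,a)) \ge 1 > 2v_t\left(\frac{\partial f_2}{\partial W}(0,a)\right) = 0$. By Hensel's Lemma, we have $C_2(\mathbb{Q}_t) \neq \emptyset$.

(3) For $k \in S_0$, we have $2k \in \mathbb{Q}(S,2)$. We only show the second. The proof of the first is similar. Let $d = 2k$. Write $f_{2k}(Z,W) = W^2 - 4DrZ^4/k - 2k$.

($\Rightarrow$) Since $2k \in S^{(\phi)}(E_{2Dr}/\mathbb{Q})$, we see $C_{2k}(\mathbb{Q}_t) \neq \emptyset$ ($t \in \{2\} \cup S_0$). For $t = 2$, take $(z,w) \in C_{2k}(\mathbb{Q}_2)$. Then $v_2(z) < 0$, $v_2(w) < 0$, and $v_2(w) = 1 + 2v_2(z)$. Put $z = 2^{-i}z_0$, $w = 2^{1-2i}w_0$, where $i > 0$, and $z_0, w_0 \in \mathbb{Z}_2^*$ satisfy $w_0^2 = 2^{4i-1}k + Drz_0^4/k$, so we get $Dr/k \equiv 1 \bmod 8$.

For $t = k$, take $(z,w) \in C_{2k}(\mathbb{Q}_k)$. Then $v_k(z) \le 0$, $v_k(w) \le 0$ and $v_k(w) = 2v_k(z)$. Put $z = k^{-i}z_0$, $w = k^{-2i}w_0$, where $i \ge 0$, and $z_0, w_0 \in \mathbb{Z}_k^*$ satisfy $w_0^2 = 2k^{4i+1} + 4Drz_0^4/k$. So we have $\left(\frac{Dr/k}{k}\right) = 1$.

For $t \in S_0 \setminus \{k\}$, take $(z,w) \in C_{2k}(\mathbb{Q}_t)$. Then $v_t(z) \ge 0$, $v_t(w) = 0$ and $w^2 = 2k + 4Drz^4/k$, so we see $\left(\frac{2k}{t}\right) = 1$.

($\Leftarrow$) Obviously $C_{2k}(\mathbb{R}) \neq \emptyset$. For $t = 2$, put $f_{2k,2}(Z,W;i) = W^2 - 4DrZ^4/k - 2^{4i-1}k$, where $i \in \mathbb{Z}_{\ge 1}$, then $v_2(f_{2k,2}(1,1;i)) \ge 3 > 2v_2\left(\frac{\partial f_{2k,2}}{\partial W}(1,1;i)\right) = 2$, so by Hensel's Lemma, $f_{2k,2}(Z,W;i) = 0$ has a solution $(z_0,w_0)$ in $\mathbb{Z}_2^2$. Note that $(2^{-i}z_0, 2^{1-2i}w_0)$ is a solution of $f_{2k}(Z,W) = 0$, and so $C_{2k}(\mathbb{Q}_2) \neq \emptyset$.

For $t = k$, put $f_{2k,k}(Z,W;i) = W^2 - 4DrZ^4/k - 2k^{4i+1}$, where $i \ge 0$. Since $\left(\frac{Dr/k}{k}\right) = 1$, there exists $a \in \mathbb{Z}$ such that $a^2 \equiv 4Dr/k \bmod k$, and so $v_k(f_{2k,k}(1,a;i)) \ge 1 > 2v_k\left(\frac{\partial f_{2k,k}}{\partial W}(1,a;i)\right) = 0$. By Hensel's Lemma, $f_{2k,k}(Z,W;i) = 0$ has a solution $(z_0,w_0) \in \mathbb{Q}_k^2$. Note that $(k^{-i}z_0, k^{-2i}w_0)$ is a solution of $f_{2k}(Z,W) = 0$, and thus $C_{2k}(\mathbb{Q}_k) \neq \emptyset$.

For $t \in S_0 \setminus \{k\}$, there exists $b \in \mathbb{Z}$ such that $b^2 \equiv 2k \bmod t$, and thus $v_t(f_{2k}(0,b)) \ge 1 > 2v_t\left(\frac{\partial f_{2k}}{\partial W}(0,b)\right) = 0$. By Hensel's Lemma, we have $C_{2k}(\mathbb{Q}_t) \neq \emptyset$.

(4) Consider $d = k_1k_2$ with $k_1, k_2 \in S_0$. Write $f_{k_1k_2}(Z,W) = W^2 - \frac{8Dr}{k_1k_2}Z^4 - k_1k_2$.

($\Rightarrow$) Since $k_1k_2 \in S^{(\phi)}(E_{2Dr}/\mathbb{Q})$, we have $C_{k_1k_2}(\mathbb{Q}_t) \neq \emptyset$ ($t \in \{2\} \cup S_0$). For $t = 2$, we take $(z,w) \in C_{k_1k_2}(\mathbb{Q}_2)$. Then $v_2(z) \ge 0$, $v_2(w) = 0$ satisfy $w^2 = k_1k_2 + \frac{8Dr}{k_1k_2}z^4$, and thus $k_1k_2 \equiv 1 \bmod 8$.

For $t = k_1$, take $(z,w) \in C_{k_1k_2}(\mathbb{Q}_{k_1})$. Then $v_{k_1}(z) \le 0$, $v_{k_1}(w) \le 0$ and $v_{k_1}(w) = 2v_{k_1}(z)$. Put $z = k_1^{-i}z_0$, $w = k_1^{-2i}w_0$, where $i = -v_{k_1}(z) \ge 0$, $v_{k_1}(z_0) = v_{k_1}(w_0) = 0$; we have $w_0^2 = k_1^{4i+1}k_2 + \frac{8Dr}{k_1k_2}z_0^4$, and thus $\left(\frac{2Dr/(k_1k_2)}{k_1}\right) = 1$. The case $t = k_2$ is similar.

For $t \in S_0 \setminus \{k_1,k_2\}$, take $(z,w) \in C_{k_1k_2}(\mathbb{Q}_t)$. Then $v_t(z) \ge 0$, $v_t(w) = 0$ and satisfy $w^2 = k_1k_2 + \frac{8Dr}{k_1k_2}z^4$, which implies $\left(\frac{k_1k_2}{t}\right) = 1$.

($\Leftarrow$) Obviously $C_{k_1k_2}(\mathbb{R}) \neq \emptyset$. For $t = 2$, since $k_1k_2 \equiv 1 \bmod 8$, we see $v_2(f_{k_1k_2}(0,1)) \ge 3 > 2v_2\left(\frac{\partial f_{k_1k_2}}{\partial W}(0,1)\right) = 0$, and by Hensel's Lemma, $C_{k_1k_2}(\mathbb{Q}_2) \neq \emptyset$.

For $t = k_1$, set $f_{k_1k_2,k_1}(Z,W;i) = W^2 - \frac{8Dr}{k_1k_2}Z^4 - k_1^{4i+1}k_2$ with $i \ge 0$. As $\left(\frac{2Dr/(k_1k_2)}{k_1}\right) = 1$, there exists $a \in \mathbb{Z}$ such that $a^2 \equiv \frac{8Dr}{k_1k_2} \bmod k_1$, and so $v_{k_1}(f_{k_1k_2,k_1}(1,a;i)) \ge 1 > 2v_{k_1}\left(\frac{\partial f_{k_1k_2,k_1}}{\partial W}(1,a;i)\right) = 0$. By Hensel's Lemma, $f_{k_1k_2,k_1}(Z,W;i) = 0$ has a solution $(z_0,w_0) \in \mathbb{Q}_{k_1}^2$. Note that $(k_1^{-i}z_0, k_1^{-2i}w_0)$ is a solution of $f_{k_1k_2}(Z,W) = 0$, that is $C_{k_1k_2}(\mathbb{Q}_{k_1}) \neq \emptyset$. The case $t = k_2$ is similar.

For $t \in S_0 \setminus \{k_1,k_2\}$, as $\left(\frac{k_1k_2}{t}\right) = 1$, there exists $b \in \mathbb{Z}$ such that $b^2 \equiv k_1k_2 \bmod t$, and thus $v_t(f_{k_1k_2}(0,b)) \ge 1 > 2v_t\left(\frac{\partial f_{k_1k_2}}{\partial W}(0,b)\right) = 0$. By Hensel's Lemma, we see $C_{k_1k_2}(\mathbb{Q}_t) \neq \emptyset$. □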



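Lemma 2.2. About the elements of the $\hat\phi$-Selmer group $S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q}) \subseteq \mathbb{Q}(S,2)$, we have

(1) $-1 \in S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q}) \iff \begin{cases} Dr \equiv 1 \bmod 4 \\ t \equiv 1 \bmod 4,\ t \in S_0 \end{cases}$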

(2) For 2 G Q(S, 2) 



D 

(^) = l,tG5o 



(3) For $2\epsilon k \in \mathbb{Q}(S,2)$ with $k \in S_0$ and $\epsilon = \pm 1$,



;f) = l,tG5o\W 

efcG5W(F;vQ)^ (:^^) = i 

A; — 2Dr/k = e mod 8 or k = e mod 8 

r (M) = i,te5o\W 
2efcG5W(ii;;^,/Q)^ <^ (^^) = 1 

2A; — Dr/k = e mod 8 or — Dr/k = e mod 8 
(4) For $\epsilon k_1k_2 \in \mathbb{Q}(S,2)$ with $k_1 \neq k_2 \in S_0$ and $\epsilon = \pm 1$,



ekik2 G 5(?)(£;2 



2_Dr 



(^^) = l,t = A:i,A: 



(#^) = i,ie5o\{LM 

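A:iA;2 — = e mod 8 or /ciA;2 = e mod 

Proof. (1) For $d = -1$, write $f_{-1}(Z,W) = -W^2 + 2DrZ^4 - 1$.

($\Rightarrow$) Since $-1 \in S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q})$, we have $C'_{-1}(\mathbb{Q}_t) \neq \emptyset$ ($t \in \{2\} \cup S_0$). For $t = 2$, take $(z,w) \in C'_{-1}(\mathbb{Q}_2)$. Then $v_2(z) = 0$, $v_2(w) = 0$, and $-1 \equiv 1 - 2Dr \bmod 8$, that is $Dr \equiv 1 \bmod 4$.

For $t \in S_0$, take $(z,w) \in C'_{-1}(\mathbb{Q}_t)$. Then $v_t(z) \ge 0$, $v_t(w) = 0$, and thus $\left(\frac{-1}{t}\right) = 1$.

($\Leftarrow$) Obviously $C'_{-1}(\mathbb{R}) \neq \emptyset$. For $t = 2$, since $Dr \equiv 1 \bmod 4$, we have $v_2(f_{-1}(1,1)) \ge 3 > 2v_2\left(\frac{\partial f_{-1}}{\partial W}(1,1)\right) = 2$. By Hensel's Lemma, we see $C'_{-1}(\mathbb{Q}_2) \neq \emptyset$. For $t \in S_0$, since $\left(\frac{-1}{t}\right) = 1$, there exists $a \in \mathbb{Z}$ such that $a^2 \equiv -1 \bmod t$, and so $v_t(f_{-1}(0,a)) \ge 1 > 2v_t\left(\frac{\partial f_{-1}}{\partial W}(0,a)\right) = 0$. By Hensel's Lemma, we get $C'_{-1}(\mathbb{Q}_t) \neq \emptyset$.

(2) We only show the case $d = 2$. The case $d = -2$ is similar. Write $f_2(Z,W) = W^2 + DrZ^4 - 2$.

($\Rightarrow$) Since $2 \in S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q})$, we see $C'_2(\mathbb{Q}_t) \neq \emptyset$ ($t \in \{2\} \cup S_0$). For $t = 2$, take $(z,w) \in C'_2(\mathbb{Q}_2)$. Then $v_2(z) \le 0$, $v_2(w) \le 0$ and $w^2 = 2 - Drz^4$. If $v_2(z) = 0$, then $Dr \equiv 1 \bmod 8$; if $v_2(z) < 0$, then $v_2(w) = 2v_2(z)$. Put $z = 2^{-i}z_0$, $w = 2^{-2i}w_0$, where $i > 0$, $z_0, w_0 \in \mathbb{Z}_2^*$ and $w_0^2 = 2^{4i+1} - Drz_0^4$, and so $Dr \equiv -1 \bmod 8$.

For $t \in S_0$, take $(z,w) \in C'_2(\mathbb{Q}_t)$. Then $v_t(z) \ge 0$, $v_t(w) = 0$ and satisfy $w^2 = 2 - Drz^4$. Thus $\left(\frac{2}{t}\right) = 1$.

($\Leftarrow$) Obviously $C'_2(\mathbb{R}) \neq \emptyset$. For $t = 2$, if $Dr \equiv 1 \bmod 8$, then $v_2(f_2(1,1)) \ge 3 > 2v_2\left(\frac{\partial f_2}{\partial W}(1,1)\right) = 2$. By Hensel's Lemma, we see $C'_2(\mathbb{Q}_2) \neq \emptyset$; if $Dr \equiv -1 \bmod 8$, put $f_2(Z,W;i) = W^2 + DrZ^4 - 2^{4i+1}$, where $i \ge 1$, then $v_2(f_2(1,1;i)) \ge 3 > 2v_2\left(\frac{\partial f_2}{\partial W}(1,1;i)\right) = 2$. By Hensel's Lemma, $C'_2(\mathbb{Q}_2) \neq \emptyset$. For $t \in S_0$, since $\left(\frac{2}{t}\right) = 1$, there exists $a \in \mathbb{Z}$ such that $a^2 \equiv 2 \bmod t$, and so $v_t(f_2(0,a)) \ge 1 > 2v_t\left(\frac{\partial f_2}{\partial W}(0,a)\right) = 0$. By Hensel's Lemma, we have $C'_2(\mathbb{Q}_t) \neq \emptyset$.

(3) We only consider $d = 2\epsilon k$. Write $f_{2\epsilon k}(Z,W) = \epsilon W^2 + (Dr/k)Z^4 - 2k$.

($\Rightarrow$) Since $2\epsilon k \in S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q})$, we have $C'_{2\epsilon k}(\mathbb{Q}_t) \neq \emptyset$ ($t \in \{2\} \cup S_0$). For $t = 2$, take $(z,w) \in C'_{2\epsilon k}(\mathbb{Q}_2)$. Then $v_2(z) \le 0$, $v_2(w) \le 0$ and $\epsilon w^2 = 2k - (Dr/k)z^4$. If $v_2(z) = 0$, then $2k - Dr/k \equiv \epsilon \bmod 8$, and if $v_2(z) < 0$, then $-Dr/k \equiv \epsilon \bmod 8$.

For $t = k$, take $(z,w) \in C'_{2\epsilon k}(\mathbb{Q}_k)$. Then $v_k(z) \le 0$, $v_k(w) \le 0$ and $v_k(w) = 2v_k(z)$. Put $z = k^{-i}z_0$, $w = k^{-2i}w_0$, where $i \ge 0$, and $z_0, w_0 \in \mathbb{Z}_k^*$ satisfy $\epsilon w_0^2 = 2k^{4i+1} - Drz_0^4/k$. Thus $\left(\frac{-\epsilon Dr/k}{k}\right) = 1$.

For $t \in S_0 \setminus \{k\}$, take $(z,w) \in C'_{2\epsilon k}(\mathbb{Q}_t)$. Then $v_t(z) \ge 0$, $v_t(w) = 0$ and $\epsilon w^2 = 2k - (Dr/k)z^4$. So $\left(\frac{2\epsilon k}{t}\right) = 1$.

($\Leftarrow$) Obviously $C'_{2\epsilon k}(\mathbb{R}) \neq \emptyset$. For $t = 2$, if $2k - Dr/k \equiv \epsilon \bmod 8$, then $v_2(f_{2\epsilon k}(1,1)) \ge 3 > 2v_2\left(\frac{\partial f_{2\epsilon k}}{\partial W}(1,1)\right) = 2$; if $-Dr/k \equiv \epsilon \bmod 8$, put $f_{2\epsilon k,2}(Z,W;i) = \epsilon W^2 + (Dr/k)Z^4 - 2^{4i+1}k$, where $i \ge 1$, then $v_2(f_{2\epsilon k,2}(1,1;i)) \ge 3 > 2v_2\left(\frac{\partial f_{2\epsilon k,2}}{\partial W}(1,1;i)\right) = 2$. In any case, by Hensel's Lemma, $C'_{2\epsilon k}(\mathbb{Q}_2) \neq \emptyset$.

For $t = k$, put $f_{2\epsilon k,k}(Z,W;i) = \epsilon W^2 + (Dr/k)Z^4 - 2k^{4i+1}$, where $i \ge 0$. Since $\left(\frac{-\epsilon Dr/k}{k}\right) = 1$, there exists $a \in \mathbb{Z}$ such that $a^2 \equiv -\epsilon Dr/k \bmod k$, and so $v_k(f_{2\epsilon k,k}(1,a;i)) \ge 1 > 2v_k\left(\frac{\partial f_{2\epsilon k,k}}{\partial W}(1,a;i)\right) = 0$. By Hensel's Lemma, $f_{2\epsilon k,k}(Z,W;i) = 0$ has a solution $(z_0,w_0) \in \mathbb{Q}_k^2$. Note that $(k^{-i}z_0, k^{-2i}w_0) \in C'_{2\epsilon k}(\mathbb{Q}_k)$.

For $t \in S_0 \setminus \{k\}$, since $\left(\frac{2\epsilon k}{t}\right) = 1$, there exists $b \in \mathbb{Z}$ such that $b^2 \equiv 2\epsilon k \bmod t$, and so $v_t(f_{2\epsilon k}(0,b)) \ge 1 > 2v_t\left(\frac{\partial f_{2\epsilon k}}{\partial W}(0,b)\right) = 0$. By Hensel's Lemma, we have $C'_{2\epsilon k}(\mathbb{Q}_t) \neq \emptyset$.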

(4) For ekxk2 G Q(5,2) with ki,k2 G Sq distinct and e = ±1. Write /efcifc2(^,W^) = el^^ + 

^ Since ekxk2 G 5W(4^,/Q), then C ^^^^^^(Slt) ^ % {t {2}U'5o)- For t = 2, take {z,w) G 
C[k,k,{^2)- Then t;2(z) > 0,^;2(u;) = and ew"" = k^k2 - if V2{z) = 0, then k^k2 - = e 

mod 8; if V2{z) > 0, then kik2 = e mod 8. 
For t = ki, take {z,w) £ C'^kiki^^k^) ■ Then Ufci (2) < ^,Vk^{w) < and Vk^iw) = 2vk^{z). Put z = 
k^''ZQ,w = k^'^^'wo, where i = -Vk^iz) > 0,Vkj^{zo) = Vk^^iwo) = 0, we have ew"^ = /cf+^/c2 + j^z^, 

2eDr 

and so {-^-) = 1- The case t = k2 is similar. 

Fort G S'o\{A:i,A;2},take {z,w) G C^fc^fc^(Qf)- Thenvt{z) > 0,vt{w) = and ew^ = kik2 + ^z^, 
which implies (^^) = 1. 

^ Obviously C^fe^fc^lM) / 0. For t = 2, if kik2 = e mod 8, we have ^2(^^1/02(0, 1)) > 3 > 
2^2(4,fc„^(0, 1)) = 0] if feiA:2 - 1^ = e mod 8, then ^;2(/efcife(l, 1)) > 3 > 2t;2(4^,^,^(l, 1)) = 0. 
By Hensel Lemma, C^kik2{.Q2) 7^ in any case. 

2egr 

For t = ki, put f,krk2{Z,W;i) = eW^ - - kf+^k2, where i > 0. Since (^) = 1, there 

exists a£Z such that = mod ki, and so Vk^ifek^kii'^^a^i)) > 1 > 21-/01 (/^^^fc2,t«(l' *)) = 0- 

By Hensel Lemma, fekik2{^iW;i) = has a solution {zo,wo) G Note that {k^^zo,k^'^^wo) G 

^efcifc2('^'=i)- '^'^^ ^^^^ t = k2 is similar. 

For t G 5o \ {ki, k2}, Since (^^i^) = 1, there exists 6 G Z such that = ekik2 mod t, and thus 
t^t(/.fcite(0, 6)) > 1 > 2vtU',k^k2A^^ ^)) = 0- By H^^s^l Lemma, we see C;;.,^;.^(Qt) / 0. □ 

2.2. The Selmer groups. We now determine the Selmer groups of the elliptic curves appearing in our theorems in the introduction, by the lemmas above. We first recall the notations. For an odd integer $m$ we always write $\bar m$ for the class of $m$ in $\mathbb{Z}/8\mathbb{Z}$, and define $a_{\bar 3} = a_{\bar 7} = \bar 5$ and $a_{\bar 5} = \bar 3$. When $p \not\equiv 1$ and $D \not\equiv 1 \bmod 8$, we consider the elliptic curve $E_{2D}$. When $p \not\equiv 1$ but $D \equiv 1 \bmod 8$, taking a prime $l$ in $a_{\bar q}$ satisfying (y) $= -1$, or when $p \equiv 1$ but $D \not\equiv 1 \bmod 8$, taking a prime $l$ in $a_{\bar q}$ satisfying (y) = (j) $= -1$, we consider the elliptic curve $E_{2lD}$. When $p \equiv D \equiv 1 \bmod 8$, taking a prime $l_1$ in $\bar 3$ and a prime $l_2$ in $\bar 7$ satisfying (^) = (^) $= -1$ and (^)(^) $= -1$, we consider the elliptic curve $E_{2l_1l_2D}$. We can state our result now.

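Proposition 2.3. Let $D = pq$ be the product of two distinct odd primes $p, q$. Then for $r = 1$, $l$, and $l_1l_2$, where $l, l_1, l_2$ are defined as above, we always have

$$S^{(\phi)}(E_{2rD}/\mathbb{Q}) \cong \mathbb{Z}/2\mathbb{Z} \quad\text{and}\quad S^{(\hat\phi)}(E'_{2rD}/\mathbb{Q}) \cong (\mathbb{Z}/2\mathbb{Z})^2.$$

Proof. By the two lemmas above, we can determine the elements in the Selmer groups of $E_{2rD}$ easily, where $r = 1$, $l$, $l_1l_2$. We only consider $r = l_1l_2$ as an example.

In this case, $S = \{\infty\} \cup \{2\} \cup \{p, q, l_1, l_2\}$ and $\mathbb{Q}(S,2) = \langle -1, 2, p, q, l_1, l_2 \rangle$, where $p \equiv q \equiv 1$, $l_1 \equiv 3$, $l_2 \equiv 7 \bmod 8$ and they satisfy (£) = (£) $= -1$ and (|-)(|) $= -1$. Without loss of generality, we can assume (^) $= 1$, (^) $= -1$ and (j^) $= 1$. By Lemma 2.1, one can check that all the elements in $\mathbb{Q}(S,2)$, except for $1$ and $2pql_1l_2$, are not in $S^{(\phi)}(E_{2rD}/\mathbb{Q})$. So $S^{(\phi)}(E_{2rD}/\mathbb{Q}) = \{1, 2pql_1l_2\} \cong \mathbb{Z}/2\mathbb{Z}$. For $S^{(\hat\phi)}(E'_{2rD}/\mathbb{Q})$, by Lemma 2.2, one can check

$S^{(\hat\phi)}(E'_{2rD}/\mathbb{Q}) = \{1, -pl_2, 2ql_1, -2Dr\}$, if (2) $= 1$;

$S^{(\hat\phi)}(E'_{2rD}/\mathbb{Q}) = \{1, -2pl_1, ql_2, -2Dr\}$, if (2) $= -1$.

Thus we have $S^{(\hat\phi)}(E'_{2rD}/\mathbb{Q}) \cong (\mathbb{Z}/2\mathbb{Z})^2$. □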

3. Computation of the conjectural rank 

Let $E$ be an elliptic curve over $\mathbb{Q}$ with conductor $N_E$. By the Modularity Theorem [1], the L-function attached to $E$ is the Mellin transform of a normalized Hecke eigenform for $\Gamma_0(N_E)$ and thus admits an analytic continuation to an entire function satisfying the functional equation

$$\Lambda_E(2-s) = W(E)\Lambda_E(s), \quad\text{where } \Lambda_E(s) = N_E^{s/2}(2\pi)^{-s}\Gamma(s)L_E(s),$$

and $W(E) = \pm 1$ is called the global root number.

Let $r_E^{an}$ and $r_E$ be the analytic rank and arithmetic rank of $E$, where $r_E^{an}$ is the order of vanishing of $L_E(s)$ at $s = 1$ and $r_E$ is the abelian group rank of $E(\mathbb{Q})$. About $r_E$, there is a famous conjecture:

Conjecture 3.1. (Parity Conjecture) $(-1)^{r_E} = W(E)$.

By Conjecture 3.1, to get the parity of the rank of the elliptic curve $E$, we need to calculate the global root number $W(E)$. In fact, $W(E) = -\prod_{v \mid N_E} W_v(E)$, where $W_v(E)$ is the local root number. For the local root number $W_v(E)$, there are many good results, such as [6]. However, due to the special choice of our elliptic curve, the global root number equals $-1$ by the following lemma.

Lemma 3.2. Let $E_{2N} : y^2 = x^3 - 2Nx$ be an elliptic curve over $\mathbb{Q}$ with $2N$ square-free, then $W(E_{2N}) = -1$.

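Proof. By [10], for any integer $d$ such that $d \not\equiv 0 \bmod 4$, the global root number of the elliptic curve $E_d : y^2 = x^3 - dx$ has the following formula:

$$W(E_d) = \mathrm{sgn}(-d) \cdot \epsilon(d) \cdot \prod_{p^2 \| d,\ p \ge 3} \left(\frac{-1}{p}\right),$$

where

$$\epsilon(d) = \begin{cases} -1 & \text{if } d \equiv 1, 3, 11, 13 \pmod{16} \\ 1 & \text{if } d \equiv 2, 5, 6, 7, 9, 10, 14, 15 \pmod{16}, \end{cases}$$

which tells us $W(E_{2N}) = -1$. □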



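In the following, we denote by $\dim_2$ the $\mathbb{Z}/2\mathbb{Z}$-dimension of a $\mathbb{Z}/2\mathbb{Z}$-vector space.

Corollary 3.3. Let $E_{2Dr}$ be the elliptic curve in Prop. 2.3. Assume that the Parity Conjecture holds. Then we have

$$r_{E_{2Dr}} = 1 \quad\text{and}\quad \text{Ш}(E'_{2Dr}/\mathbb{Q})[\hat\phi] = 0.$$

Proof. Since $E_{2Dr}(\mathbb{Q})[2] = \{O, (0,0)\} \cong \mathbb{Z}/2\mathbb{Z}$, and $\phi(E_{2Dr}(\mathbb{Q})[2]) = \{O\}$, by the exact sequences [7] P.298, 314, 301

$$0 \to \frac{E'_{2Dr}(\mathbb{Q})}{\phi(E_{2Dr}(\mathbb{Q}))} \to S^{(\phi)}(E_{2Dr}/\mathbb{Q}) \to \text{Ш}(E_{2Dr}/\mathbb{Q})[\phi] \to 0,$$

$$0 \to \frac{E'_{2Dr}(\mathbb{Q})[\hat\phi]}{\phi(E_{2Dr}(\mathbb{Q})[2])} \to \frac{E'_{2Dr}(\mathbb{Q})}{\phi(E_{2Dr}(\mathbb{Q}))} \to \frac{E_{2Dr}(\mathbb{Q})}{2E_{2Dr}(\mathbb{Q})} \to \frac{E_{2Dr}(\mathbb{Q})}{\hat\phi(E'_{2Dr}(\mathbb{Q}))} \to 0,$$

we get the following equality

$$r_{E_{2Dr}} + \dim_2(\text{Ш}(E_{2Dr}/\mathbb{Q})[\phi]) + \dim_2(\text{Ш}(E'_{2Dr}/\mathbb{Q})[\hat\phi]) = \dim_2(S^{(\phi)}(E_{2Dr}/\mathbb{Q})) + \dim_2(S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q})) - 2. \tag{3.1}$$

Since $\dim_2(S^{(\phi)}(E_{2Dr}/\mathbb{Q})) = 1$ and $\dim_2(S^{(\hat\phi)}(E'_{2Dr}/\mathbb{Q})) = 2$ by Prop. 2.3, we have

$$r_{E_{2Dr}} + \dim_2(\text{Ш}(E_{2Dr}/\mathbb{Q})[\phi]) + \dim_2(\text{Ш}(E'_{2Dr}/\mathbb{Q})[\hat\phi]) = 1.$$

Lemma 3.2 gives us the result. □

Remark 3.4. In fact, we only need the weak form of the parity conjecture:

$$W(E) = -1 \implies r_E \ge 1.$$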
About the parity conjecture, one can refer to [4], which is the recent work by Tim Dokchitser.

4. Proof of the main results

In this section we show the theorems and the corollary in the introduction. We have proved that the elliptic curves in our theorems have rank one under the parity conjecture. It is easy to show that the torsion part of $E_{2rD}(\mathbb{Q})$ is generated by $T := (0,0)$, see [7] Chap. X, Prop. 6.1. Let $r = 1$, $l$ or $l_1l_2$ as in Prop. 2.3, and let $Q \in E_{2Dr}(\mathbb{Q})$ satisfy $E_{2Dr}(\mathbb{Q}) = \langle T \rangle + \mathbb{Z}Q$. To complete the proofs of Theorem 1.1 and Theorem 1.2, we still need to show $v_p(x([k]Q)) \neq v_q(x([k]Q))$ for odd $k$.

We recall some standard notations. For an elliptic curve $E$ over a local field $K$ with residue field $k$, we denote by $\tilde E$ the reduction of $E$ over $k$, $\tilde E_{ns}(k)$ the set of non-singular points of $\tilde E(k)$, $E_0(K)$ the set of points with non-singular reduction, $E_1(K)$ the kernel of reduction, and $\hat E$ the formal group associated to $E$. We first give the upper and lower bounds and parity of the valuations at $p$ and $q$ of the x-coordinate of any rational point of $E_{2Dr}$. Fix $t = p$ or $q$ once and for all. We consider the question in the following four cases according to the value of $v_t(x(Q))$. The following discussion holds for any $E_{2rD}$ which has rank one and has only two torsion points.

Case I. $v_t(x(Q)) = a \ge 3$ (note that $a$ is odd): Using Tate's algorithm [8] Chap. IV, §9, we know that the Tamagawa number $c_t$ equals 2, that means $E_{2Dr}(\mathbb{Q}_t)/E_{2Dr,0}(\mathbb{Q}_t) \cong \mathbb{Z}/2\mathbb{Z}$. Since $Q \notin E_{2Dr,0}(\mathbb{Q}_t)$, we see

$$[2k]Q \in E_{2Dr,0}(\mathbb{Q}_t), \quad [2k+1]Q \in E_{2Dr}(\mathbb{Q}_t) \setminus E_{2Dr,0}(\mathbb{Q}_t).$$

By the duplication formula

$$x([2]Q) = \frac{x(Q)^4 + 4Dx(Q)^2 + 4D^2}{4x(Q)^3 - 8Dx(Q)},$$

we get $v_t(x([2]Q)) = 2 - (1 + a) = -(a-1) < 0$, then $[2]Q \in E_{2Dr,1}(\mathbb{Q}_t)$. By $E_{2Dr,1}(\mathbb{Q}_t) \cong \hat E_{2Dr}(t\mathbb{Z}_t) \cong t\mathbb{Z}_t$, $(x,y) \mapsto (z(x) = -\frac{x}{y}, w(z)) \mapsto z(x) = -\frac{x}{y}$, where $v_t(x) = -2v_t(z(x))$, and [7] Chap. IV, Prop. 2.3, we have the equality

$$v_t(z([2k]Q)) = v_t([k]z([2]Q)) = v_t(2k) + \frac{a-1}{2}.$$

Now we get the result

$$v_t(x([2k]Q)) = -2v_t(2k) - (a-1),$$

which implies

$$v_t(x([2(2k+1)]Q)) = -2v_t(2(2k+1)) - (a-1) = -2v_t(2k+1) - (a-1);$$

again by the duplication formula, we have the relationship

$$v_t(x([2(2k+1)]Q)) = 2 - (1 + v_t(x([2k+1]Q))) = 1 - v_t(x([2k+1]Q)),$$

and so we get

$$v_t(x([2k+1]Q)) = 2v_t(2k+1) + a.$$

On the other hand, by the chord and tangent principle, we have the relationship

$$x(R) \cdot x(R+T) = -2Dr, \quad R \in E_{2Dr}(\mathbb{Q}) \setminus \{O, T\},$$

so

$$v_t(x([2k]Q + T)) = 2v_t(2k) + a,$$
$$v_t(x([2k+1]Q + T)) = -2v_t(2k+1) - (a-1).$$

By the above analysis, we have

$$\begin{cases} -2 \ge v_t(x([2k]Q)) \equiv 0 \bmod 2 \\ 3 \le v_t(x([2k+1]Q)) \equiv 1 \bmod 2 \\ 3 \le v_t(x([2k]Q + T)) \equiv 1 \bmod 2 \\ -2 \ge v_t(x([2k+1]Q + T)) \equiv 0 \bmod 2. \end{cases}$$

Case II. $v_t(x(Q)) = 1$: by the duplication formula, $v_t(x([2]Q)) = 0$, then $\tilde E_{ns}(\mathbb{F}_t) = \langle \widetilde{[2]Q} \rangle$, where $\widetilde{[2]Q}$ is the reduction of $[2]Q$ at the place $t$. But $|\tilde E_{ns}(\mathbb{F}_t)| = t$, so $\widetilde{[2t]Q} = [t](\widetilde{[2]Q}) = \tilde O$. Write $b := -v_t(x([2t]Q))$, then $b \ge 2$ and even. By the duplication formula again, we have $v_t(x([t]Q)) = 1 + b$. As $\tilde E_{ns}(\mathbb{F}_t) = \langle \widetilde{[2]Q} \rangle$, we see

$$v_t(x([k][2]Q)) = 0, \quad\text{for } t \nmid k.$$

If $t \mid k$, similarly to the Case I, we have

$$v_t(x([2k]Q)) = -2v_t(2k) - (b-2).$$

Thus for any non-zero integer $k$, we have

$$v_t(x([2k]Q)) = \begin{cases} 0 & \text{if } t \nmid k \\ -2v_t(2k) - (b-2) & \text{if } t \mid k, \end{cases} \qquad v_t(x([2k+1]Q)) = \begin{cases} 1 & \text{if } t \nmid 2k+1 \\ 2v_t(2k+1) + (b-1) & \text{if } t \mid 2k+1, \end{cases}$$

and

$$v_t(x([2k]Q + T)) = \begin{cases} 1 & \text{if } t \nmid k \\ 2v_t(2k) + (b-1) & \text{if } t \mid k, \end{cases} \qquad v_t(x([2k+1]Q + T)) = \begin{cases} 0 & \text{if } t \nmid 2k+1 \\ -2v_t(2k+1) - (b-2) & \text{if } t \mid 2k+1. \end{cases}$$

By the analysis of parity and the $\pm$ symbol further, we get

$$\begin{cases} 0 \ge v_t(x([2k]Q)) \equiv 0 \bmod 2 \\ 1 \le v_t(x([2k+1]Q)) \equiv 1 \bmod 2 \\ 1 \le v_t(x([2k]Q + T)) \equiv 1 \bmod 2 \\ -2 \ge v_t(x([2k+1]Q + T)) \equiv 0 \bmod 2. \end{cases}$$

From Case I and Case II, we know that if $v_t(x(Q)) \ge 1$, then

$$\begin{cases} 0 \ge v_t(x([2k]Q)) \equiv 0 \bmod 2 \\ 1 \le v_t(x([2k+1]Q)) \equiv 1 \bmod 2 \\ 1 \le v_t(x([2k]Q + T)) \equiv 1 \bmod 2 \\ -2 \ge v_t(x([2k+1]Q + T)) \equiv 0 \bmod 2. \end{cases} \tag{4.1}$$



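Case III. $v_t(x(Q)) = 0$: we have $\tilde E_{ns}(\mathbb{F}_t) = \langle \tilde Q \rangle$, where $\tilde Q$ is the reduction of $Q$ at the place $t$. Similarly to the discussion in the Case II, we have for any non-zero integer $k$,

$$v_t(x([2k]Q)) = \begin{cases} 0 & \text{if } t \nmid k \\ -2v_t(2k) - (c-2) & \text{if } t \mid k, \end{cases} \qquad v_t(x([2k+1]Q)) = \begin{cases} 0 & \text{if } t \nmid 2k+1 \\ -2v_t(2k+1) - (c-2) & \text{if } t \mid 2k+1, \end{cases}$$

and

$$v_t(x([2k]Q + T)) = \begin{cases} 1 & \text{if } t \nmid k \\ 2v_t(2k) + (c-1) & \text{if } t \mid k, \end{cases} \qquad v_t(x([2k+1]Q + T)) = \begin{cases} 1 & \text{if } t \nmid 2k+1 \\ 2v_t(2k+1) + (c-1) & \text{if } t \mid 2k+1, \end{cases}$$

here $c := -v_t(x([t]Q))$; by the group law, we know that $c \ge 2$ and is even. By the analysis of parity and the $\pm$ symbol further, we have

$$\begin{cases} 0 \ge v_t(x([2k]Q)) \equiv 0 \bmod 2 \\ 0 \ge v_t(x([2k+1]Q)) \equiv 0 \bmod 2 \\ 1 \le v_t(x([2k]Q + T)) \equiv 1 \bmod 2 \\ 1 \le v_t(x([2k+1]Q + T)) \equiv 1 \bmod 2. \end{cases}$$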




Case IV. $v_t(x(Q)) \le -2$: Write $n := -v_t(x(Q))$. Then $n$ is even. By the formal group, we have for any non-zero integer $k$

$$v_t(x([k]Q)) = -2v_t(k) - n.$$

Furthermore by the relationship

$$x(R) \cdot x(R+T) = -2Dr, \quad R \in E_{2Dr}(\mathbb{Q}) \setminus \{O, T\},$$

we have

$$v_t(x([k]Q + T)) = 2v_t(k) + (n+1).$$

Finally we get the following result:

$$\begin{cases} -2 \ge v_t(x([2k]Q)) \equiv 0 \bmod 2 \\ -2 \ge v_t(x([2k+1]Q)) \equiv 0 \bmod 2 \\ 3 \le v_t(x([2k]Q + T)) \equiv 1 \bmod 2 \\ 3 \le v_t(x([2k+1]Q + T)) \equiv 1 \bmod 2. \end{cases}$$

From Case III and Case IV, we know that if $v_t(x(Q)) \le 0$, then

$$\begin{cases} 0 \ge v_t(x([2k]Q)) \equiv 0 \bmod 2 \\ 0 \ge v_t(x([2k+1]Q)) \equiv 0 \bmod 2 \\ 1 \le v_t(x([2k]Q + T)) \equiv 1 \bmod 2 \\ 1 \le v_t(x([2k+1]Q + T)) \equiv 1 \bmod 2. \end{cases} \tag{4.2}$$

Now we can show Theorem 1.1 and Theorem 1.2.

Proof of Theorem 1.1 and Theorem 1.2. Let $r = 1$, $l$ and $l_1l_2$ be the same as in Theorem 1.1 and Theorem 1.2. We only need to show the part about the valuations. First we claim that there exist $R_1, R_2 \in E_{2rD}(\mathbb{Q})$ such that for $i = 1, 2$

$$v_p(x(R_i)) + 1 \equiv v_q(x(R_i)) \bmod 2 \quad\text{and}\quad v_p(x(R_i)) \cdot v_q(x(R_i)) \le 0. \tag{4.3}$$

We only show the claim in the case $(p,q) \equiv (5,5) \bmod 8$ and (^) $= 1$. The proofs in other cases are similar.

In this case, the prime $l$ is in the class $a_{\bar 5} = \bar 3$ and satisfies (-j) $= -1$. For the elliptic curve $E_{2lD}$, we have $\text{Ш}(E'_{2lD}/\mathbb{Q})[\hat\phi] = 0$ and $S^{(\hat\phi)}(E'_{2lD}/\mathbb{Q}) = \{1, -q, 2pl, -2Dl\}$. Thus $C'_{-q}(\mathbb{Q}) \neq \emptyset$, $C'_{2pl}(\mathbb{Q}) \neq \emptyset$. Take $(z_1,w_1) \in C'_{2pl}(\mathbb{Q})$ and $(z_2,w_2) \in C'_{-q}(\mathbb{Q})$. One can see $v_p(z_1) \le 0$, $v_q(z_1) \ge 0$ and $v_p(z_2) \ge 0$, $v_q(z_2) \le 0$. Denote the images of $(z_1,w_1)$ and $(z_2,w_2)$ under the following isomorphism

$$C'_d \to E_{2Dr}, \quad (z,w) \mapsto \left(\frac{d}{z^2}, \frac{dw}{z^3}\right),$$

by $R_1$ and $R_2$ respectively. Namely $R_1 := \left(\frac{2pl}{z_1^2}, \frac{2plw_1}{z_1^3}\right)$ and $R_2 := \left(-\frac{q}{z_2^2}, -\frac{qw_2}{z_2^3}\right)$. Then $R_1, R_2$ satisfy the relations (4.3).

By (4.1), (4.2) and the claim, we see that $v_p(x(Q))$ and $v_q(x(Q))$ cannot simultaneously be $\ge 1$ or simultaneously be $\le 0$. Thus we have $v_p(x(Q)) \ge 1$, $v_q(x(Q)) \le 0$ or $v_p(x(Q)) \le 0$, $v_q(x(Q)) \ge 1$. By the parity in (4.1) and (4.2), we have for $k \in \mathbb{Z}$

$$v_p(x([2k+1]Q)) \neq v_q(x([2k+1]Q))$$

and

$$v_p(x([2k+1]Q + T)) \neq v_q(x([2k+1]Q + T)).$$

□ 

Remark 4.1. By analyzing the elliptic curve $y^2 = x^3 - rDx$ for some proper parameter $r$, one can also get the same results as those in our Theorem 1.1 and Theorem 1.2. But now one should consider all possibilities of $(p,q)$ as elements of $(\mathbb{Z}/16\mathbb{Z})^{*2}$.

Remark 4.2. From the above proof, we see that any point of infinite order in $E_{2rD}(\mathbb{Q})$ leads to a factorization of $D$ (if the point is of even order, use the duplication formula to "halve" it). Since $\mathrm{rank}(E_{2rD}(\mathbb{Q})) = 1$, besides standard methods, there are two other possibilities for finding a point of infinite order. One possibility [9] is using the L-function of $E_{2rD}$; the second possibility [2] is constructing a Heegner point on $E_{2rD}(\mathbb{Q})$. Both methods are still quite efficient for conductors of moderately large size (say 10^ to 10^). But, for cryptographic $D$, both methods don't work.
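The recovery step of Theorems 1.1 and 1.2 and Remark 4.2, as an added example that is not code from the paper: given the x-coordinate of a rational point on $E_{2rD}$ with unequal valuations at $p$ and $q$, gcds of its numerator and denominator with $D$ split $D$. It assumes the case $r = 1$ of Theorem 1.1 with tiny $D$ so that a point can be found by brute force; the function names `search_points`, `add`, `multiply`, `split_from_x` and `demo` are hypothetical.

```python
from fractions import Fraction
from math import gcd, isqrt


def search_points(m, max_abs_a=60, max_e=6):
    """Small-height rational points (a/e^2, b/e^3), y != 0, on y^2 = x^3 - m*x."""
    found = []
    for e in range(1, max_e + 1):
        for a in range(-max_abs_a, max_abs_a + 1):
            if a == 0 or gcd(a, e) != 1:
                continue
            n = a**3 - m * a * e**4          # equals b^2 for a point on the curve
            if n > 0 and isqrt(n) ** 2 == n:
                found.append((Fraction(a, e * e), Fraction(isqrt(n), e**3)))
    return found


def add(P, Q, m):
    """Chord-and-tangent law on y^2 = x^3 - m*x; None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y1 == -y2:
        return None
    lam = (3 * x1 * x1 - m) / (2 * y1) if P == Q else (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def multiply(k, P, m):
    """[k]P for k >= 1 by double-and-add."""
    result, addend = None, P
    while k:
        if k & 1:
            result = add(result, addend, m)
        addend = add(addend, addend, m)
        k >>= 1
    return result


def split_from_x(D, x):
    """Return (p, q) when x has unequal valuations at the two primes of D, else None."""
    for n in (abs(x.numerator), x.denominator):
        while n and n % D == 0:              # both primes divide n: strip one power of each
            n //= D
        g = gcd(n, D)
        if 1 < g < D:                        # exactly one prime of D is left in n
            return tuple(sorted((g, D // g)))
    return None                              # equal valuations (or x = 0): no information


def demo(D):
    """Constructed toy input: D = pq with p, D not 1 mod 8, so r = 1 and the curve is E_{2D}."""
    m = 2 * D
    R = search_points(m)[0]                  # some point of infinite order, found by brute force
    odd = [split_from_x(D, multiply(k, R, m)[0]) for k in (1, 3)]
    even = split_from_x(D, multiply(2, R, m)[0])
    return R, odd, even


if __name__ == "__main__":
    for D in (15, 21):
        R, odd, even = demo(D)
        print(f"D={D}: R={R}, odd multiples give {odd}, [2]R gives {even}")
```

For $D = 15$ the search returns $R = (-5, 5)$ on $y^2 = x^3 - 30x$; $x(R)$ and $x([3]R)$ both split 15, while $x([2]R) = 121/4$ is a unit at 3 and at 5 and gives nothing, matching the even-multiple rows of (4.1) and (4.2).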

Remark 4.3. Burhanuddin and Huang [5] have proved that, if the naive height of a generator of the free part of $E_D(\mathbb{Q})$ with $D = pq$, $p \equiv q \equiv 3 \bmod 16$, grows polynomially in $\log \Delta$, where $\Delta$ is the minimal discriminant of $E_D$, then factoring $D$ is polynomial time reducible to computing the generator of the group $E_D(\mathbb{Q})$. As noted in [5], there is a conjecture of Lang [3] saying that the log height of a generator is (approximately) bounded above by D^^^^ and it is widely believed that this upper bound is accurate for "most" elliptic curves. More precisely, it is a folklore conjecture that the probability that a generator $P$ of $E_D(\mathbb{Q})$ has height h{P) < D^^^^ is less than $D^{-c}$ for some absolute constant $c$. Even though the additional parameter $r$ leads to a family of curves which are suitable for factoring $D$, it is unlikely that one finds a curve whose generator height grows polynomially in $\log \Delta$.

The following lemma shows that the least additional parameter $r$ in our Theorem 1.1 and Theorem 1.2 has a small upper bound.

Lemma 4.4. Given positive integers $k$, $m$, there exists a constant $c$ dependent only on $m$ and $k$ such that for any sequence of pairwise different odd primes $p_1, \dots, p_k$, signs $\epsilon_1, \dots, \epsilon_k \in \{-1, 1\}$, and an integer $a$ coprime to $m$, where $p_i \nmid m$ for all $i$, the least odd prime $l$ satisfying



e,-, 1 < i < k, and I = a mod m 



is upper bounded by $c\log^2\left(\prod_{i=1}^{k} p_i\right)$.
Proof. Let 

Pi if^^l mod 4 n<i<k) 
* I Api otherwise ' 

and Ki = Q{^/di),l < i < k. Then Gal{Ki/Q) ~ {1,-1}. Identifying the two groups, we have 

(£i) = (^^^y The latter is the Artin symbol. 

Let Kq = Q(Cm)) where Cm is a m-th primary root of unity. We have Gal(i^o/Q) — (Z/mZ)* 

( Ko/Q \ 



and / = a mod m if and only if y i j = cl mod m G Gal(-fCo/ 

Let K = Q{^/pl, • • • ; y/Pk, Cm), which is an abelian extension of Q. An odd prime / is unramified 
in K if and only if / /"i]^^^^ dj. For such I, we have 



) iO<i<k). 



Since pi, ■ ■ ■ ,pk are pairwise different and (pi ■ ■ -pk, rn) = 1, we have KiCiKj = Q for < i / j < fc, 
and so we have the isomorphism 

Gal(J^/Q)~ Yl Gal(J^,/Q) a ^ {a\KJo<^<k. 

0<i<k 

Thus there exists a unique a S Gal(Er/Q) such that cjlft-. = for 1 < i < k and o'\ko = mod m. 
By [11] Th. 3.1(3), there exists a prime / < (1 + o(l)) log^d A^^ |) such that = (7, where 

Ak is the discriminant of K. For fixed k and m, one can get easily that there exists a constant 
c' > satisfying \ Ak\ < c'{Ui=iPi) ■ Thus we can find a constant $c$, dependent on $m$ and $k$, such that there exists a prime $l < c\log^2\left(\prod_{i=1}^{k} p_i\right)$ satisfying (y) $= \epsilon_i$ for $1 \le i \le k$, and $l \equiv a \bmod m$. □

Proof of Corollary 1.3. We show that there exists $r < c \cdot \log^4 D$ such that the elliptic curve $E_{2rD}$ has the required properties (2) and (3) in Corollary 1.3. We choose $r$ as follows:

If $D \not\equiv 1$, $p \not\equiv 1 \bmod 8$, we take $r = 1$.

If $D \equiv 1$, $p \not\equiv 1 \bmod 8$, we take $r$ to be the least prime $l$ satisfying (y) $= -1$ and $l \in a_{\bar q}$. By the lemma above, there exists a constant $c_2 > 0$ such that $r < c_2\log^2(D)$.

If $D \not\equiv 1$, $p \equiv 1 \bmod 8$, we choose $r$ to be the least prime $l$ satisfying $l \in a_{\bar q}$, (^) $= -1$, (|) $= 1$. By the lemma above, there exists a constant $c_1 > 0$ such that $r < c_1\log^2(D)$.

If $D \equiv 1$, $p \equiv 1 \bmod 8$, we choose $r$ to be the product of two least primes $l_1, l_2$ which satisfy

= 1, = —1, Zi € 3 and = —1, = 1, ^2 G 7, respectively. By the lemma above 

there exists a constant $c_3 > 0$ such that $r = l_1l_2 < c_3\log^4(D)$.

By Theorem 1.1 and Theorem 1.2, for the $r$ chosen above, the elliptic curve $E_{2rD}$ has the properties (2) and (3) in Corollary 1.3. □